njrat | 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

General

Target

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Size

319KB
MD5

d974e8a7e94fae3bef8b9a663057ba05
SHA1

02457284d0a0a05fc84e59fe6f34f4ee5f324df8
SHA256

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a
SHA512

a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd
SSDEEP

3072:XTn64mgLXEg36vdXheha1G+VedMdGW53aKzfBrKGdrsx7HD:Dn4gIR1XhYa11VedMdGYKGRsZ

Score

10^/10

njrat ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ﻣ̲ﺳ̲ﺗ̲ﺷ̲ﺂ̲ږ ﺂ̲بـﻟ̲يےﺳ̲

C2

aaddbbkk.hopto.org:1177

Mutex

85d96ae9b74c6f98a30eae5caffd31d4

Attributes

reg_key
85d96ae9b74c6f98a30eae5caffd31d4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

xwtpw32.exe

pid process

628 xwtpw32.exe
Loads dropped DLL 2 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

pid process

320 5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
628 xwtpw32.exe

pid	process
628	xwtpw32.exe

pid	process
320	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
628	xwtpw32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe

description	pid	process	target process
PID 2036 set thread context of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

pid	process
2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
628	xwtpw32.exe
628	xwtpw32.exe
628	xwtpw32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

description	pid	process
Token: SeDebugPrivilege	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: 33	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeIncBasePriorityPrivilege	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: 33	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeIncBasePriorityPrivilege	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: 33	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeIncBasePriorityPrivilege	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
Token: SeDebugPrivilege	628	xwtpw32.exe
Token: 33	628	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	628	xwtpw32.exe
Token: 33	628	xwtpw32.exe
Token: SeIncBasePriorityPrivilege	628	xwtpw32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exexwtpw32.exe

description	pid	process	target process
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 2036 wrote to memory of 320	2036	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
PID 320 wrote to memory of 628	320	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 320 wrote to memory of 628	320	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 320 wrote to memory of 628	320	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 320 wrote to memory of 628	320	5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe	xwtpw32.exe
PID 628 wrote to memory of 904	628	xwtpw32.exe	xwtpw32.exe
PID 628 wrote to memory of 904	628	xwtpw32.exe	xwtpw32.exe
PID 628 wrote to memory of 904	628	xwtpw32.exe	xwtpw32.exe
PID 628 wrote to memory of 904	628	xwtpw32.exe	xwtpw32.exe

C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
"C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
C:\Users\Admin\AppData\Local\Temp\5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
"C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
4⤵
PID:904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
\Users\Admin\AppData\Local\Temp\xwtpw32.exe
Filesize
319KB

MD5
d974e8a7e94fae3bef8b9a663057ba05

SHA1
02457284d0a0a05fc84e59fe6f34f4ee5f324df8

SHA256
5eb8e9fdad7d5b0ce0dbff63dc0feb53af5093f01888403bb426b0c13e7c572a

SHA512
a683482f2e585bb5f5e1e342c660f63b279317dfbd8ff23b306546eeb52c15e3659c85b94b2e5de80d8400cde6a1ca9f0d301b3e9cd608c6415d152a456ba9dd

Download Submit
memory/320-58-0x00000000004074FE-mapping.dmp

Download
memory/320-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/320-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/320-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/628-67-0x0000000000000000-mapping.dmp

Download
memory/628-70-0x00000000002E0000-0x0000000000336000-memory.dmp

Filesize
344KB

Download
memory/628-73-0x0000000004B65000-0x0000000004B76000-memory.dmp

Filesize
68KB

Download
memory/628-74-0x0000000004B65000-0x0000000004B76000-memory.dmp

Filesize
68KB

Download
memory/2036-63-0x0000000001005000-0x0000000001016000-memory.dmp

Filesize
68KB

Download
memory/2036-64-0x0000000001005000-0x0000000001016000-memory.dmp

Filesize
68KB

Download
memory/2036-54-0x00000000011B0000-0x0000000001206000-memory.dmp

Filesize
344KB

Download
memory/2036-56-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2036-55-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads